
PDF Linux 2.4 Advanced Routing HOWTO

Nguyễn Gia Hào

Academic year: 2023


Full text

However, please consider posting to the mailing list (see the relevant section) if you have questions not directly related to this HOWTO. Before you lose your way in this HOWTO, if all you want to do is simple traffic shaping, skip everything and go to the 'Other Possibilities' chapter, and read about CBQ.init.

Disclaimer & License

Prior knowledge

What Linux can do for you

Housekeeping notes

Access, CVS & submitting updates

Mailing list

Layout of this document

Prerequisites

Exploring your current configuration

The MTU (Maximum Transfer Unit) size is 3924 octets and is not supposed to be queued. I'll skip the fake interface for now and it may not be present on your computer.

Then there are my two physical network interfaces, one on the side of my cable modem, the other serves my home ethernet segment. If you're having trouble, see the documentation mentioned at the beginning of this HOWTO.

ARP

If you want to use this feature, make sure your kernel is configured with the "IP: advanced router" and. Let's take a real example again: I have 2 (actually 3, about time I return them) cable modems, connected to a Linux NAT ('masquerading') router.

A few general remarks about tunnels

It is left as an exercise for the reader to implement this in ip-up. There are IP in IP tunnels, GRE tunnels, and tunnels that live outside the kernel (such as PPTP, for example).

IP in IP tunneling

As for compatibility, this code has been around for a long time, so it is compatible back to 1.3 kernels. Linux IP-in-IP tunneling doesn't work with other operating systems or routers, as far as I know.

GRE tunneling

IPv4 Tunneling

As for network C, we assume that it will pass any packet sent from A to B and vice versa. Furthermore, we told it to use the GRE protocol (mode gre), that the remote address is the router on the other side, that our tunnel packets should originate from one of our own addresses (your router can have multiple IP addresses on network C, and this lets you decide which one to use for tunneling) and that the TTL field of the packet should be set to 255 (ttl 255).

IPv6 Tunneling

Userland tunnels

However, if you don't have Cisco available, try one of the many IPv6 tunnel brokers available on the Internet. However, the Internet is mostly based on TCP/IP, which has some features that help us.

First attempt at bandwidth division

By modifying the queue on eth0, we determine how fast data is sent to our clients and therefore how much downstream bandwidth is available to them. Otherwise this class would have started borrowing bandwidth from other classes, something we will discuss later. Ok, now we've told the kernel what our classes are, but not yet how to manage the queues.

Now there is only one thing left for you to do and that is to tell the kernel which packets belong to which class.

What to do with excess bandwidth

Class subdivisions

This assumes that our office is behind an IP address firewall and that all our other IP addresses should be considered part of the ISP. Now that we've allocated enough bandwidth downstream, we need to do the same for upstream.

Loadsharing over multiple interfaces

Caveats

While this isn't a problem for links with many different TCP/IP sessions, you won't be able to bundle multiple links and ftp a single file much faster unless your receiving or sending operating system is Linux, which isn't easily shaken by a simple reordering. By far the most commonly used is the pfifo_fast queue - this is the default.

Stochastic Fairness Queueing

It is less accurate than others, but it also requires fewer calculations while being almost completely fair. The key word in SFQ is conversation (or flow), being a series of data packets with enough common parameters to distinguish them from other conversations. The discipline runs in round robin, sending one packet from each FIFO in one turn, which is why it is called fair.

The main advantage of SFQ is that it allows fair connection sharing between several applications and prevents a single client from taking up all the bandwidth.

Token Bucket Filter

Random Early Detect

Ingress policer qdisc

DSMARK

  • Introduction
  • What is Dsmark related to?
  • Differentiated Services guidelines
  • Working with Dsmark
  • How SCH_DSMARK works
  • TC_INDEX Filter

The skb->tc_index value is initially set by the DSMARK qdisc, which retrieves it from the DS field in the IP header of each received packet. set_tc_index: instructs the dsmark discipline to read the DS field and store it in skb->tc_index. As we explained earlier, the dsmark qdisc, identified by the 1:0 id in the example, retrieves the DS field and stores it in skb->tc_index.

If there is a filter with this id, the policing and metering conditions will be checked (in case the filter includes them) and the classification will be returned (in our example, classid 2:1) and stored in skb->tc_index.

WRR

Note that in general there are many ways you can classify packets and it generally comes down to your preference as to which system to use. Now we just need to specify that we want the packets tagged with the mark 1 to go to class 1:1. Attach a filter with priority 1 to 1:0 to send all packets marked 1 in the firewall to class 1:1.

Note that you can use the full power of firewall code with this classification, including matching MAC addresses, user IDs, and anything else the firewall can match.

The "u32" classifier

U32 selector

As you can guess, this match is ambiguous without context and we will discuss this later. Once we've understood all of the above, we'll find that the next selector is pretty easy to read: match c0a80100/ffffff00 at 16. Here we have a three-byte match at the 17th byte, counting from the start of the IP header.

General selectors

Specific selectors

The TOS field starts at the second byte of the packet and is one byte in size, so we can write an equivalent general selector: match u8 0x10 0xff at 1. This gives us a hint about the inside of the U32 filter - the specific rules are always translated into general ones, and in this form they are stored in kernel memory. This leads to another conclusion: the tcp and udp selectors are exactly the same, and therefore you cannot use the single match tcp dst 53 0xffff selector to match TCP packets sent to a particular port. It will also match UDP packets sent to this port.

You must remember to also specify the protocol and end with the following rule:
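As an added example (not code from the HOWTO), the translation of the specific selectors discussed above into the general u8/u32 form, written in Python against the IPv4 header offsets; the port match uses the `at nexthdr+N` offset form and the protocol/port numbers are constructed sample values:

```python
import ipaddress

# IPv4 header byte offsets (RFC 791) for the fields the HOWTO's examples use
IP_FIELD_OFFSET = {"tos": 1, "protocol": 9, "src": 12, "dst": 16}
# Port offsets inside the transport header are identical for TCP and UDP,
# which is exactly why 'tcp dst 53' and 'udp dst 53' become the same rule
PORT_OFFSET = {"sport": 0, "dport": 2}
PROTO_NUMBER = {"tcp": 6, "udp": 17}


def ip_selector(field, value, mask=0xFF):
    """Translate 'match ip <field> <value>' into the general selector
    form that the u32 classifier actually stores in the kernel."""
    offset = IP_FIELD_OFFSET[field]
    if field in ("src", "dst"):
        net = ipaddress.IPv4Network(value, strict=False)
        return (f"match u32 {int(net.network_address):08x}/"
                f"{int(net.netmask):08x} at {offset}")
    if field == "protocol":
        value = PROTO_NUMBER.get(value, value)
    return f"match u8 0x{value:02x} 0x{mask:02x} at {offset}"


def port_selector(field, port):
    """Port match relative to the start of the transport header.
    On its own it carries no protocol, so it matches TCP and UDP alike."""
    return f"match u16 0x{port:04x} 0xffff at nexthdr+{PORT_OFFSET[field]}"


def port_filter(proto, field, port):
    """The complete rule: protocol first, then the port, so that a
    'tcp dst 53' filter really matches only TCP packets."""
    return [ip_selector("protocol", proto), port_selector(field, port)]


if __name__ == "__main__":
    print(ip_selector("dst", "192.168.1.0/24"))  # the HOWTO's c0a80100/ffffff00 at 16
    print(ip_selector("tos", 0x10))              # the HOWTO's u8 0x10 0xff at 1
    for proto in ("tcp", "udp"):
        # only the protocol selector differs between the two filters
        print(proto, port_filter(proto, "dport", 53))
```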

The "route" classifier

The "rsvp" classifier

The "tcindex" classifier

Going by the example above, if a packet arrived at a Linux router on eth1 claiming to come from the Office+ISP subnet, it would be dropped. Similarly, if a packet came from the Office subnet and claimed to be from somewhere outside your firewall, it would also be dropped. This is because full reverse path filtering breaks in the case of asymmetric routing (where packets come in one way and go out another, such as satellite traffic, where data comes in via the satellite dish and responses go back via normal landlines, or if you have dynamic (bgp, ospf, rip) routes in your network).

If this exception applies to you (and you'll probably know if it does), you can simply turn off the rp_filter on the interface where the satellite data comes in.

Obscure settings

Generic ipv4

Per device settings

Neighbor policy

Routing settings

Protecting your host from SYN floods

Ratelimit ICMP to prevent DDoS

Prioritizing interactive traffic

Transparent web-caching using netfilter, iproute2, ipchains and squid

Traffic flow diagram after implementation

Note that the network is asymmetric since there is an extra hop on the general outgoing path. Here is the path of a packet crossing the network from kaosarn to and from the Internet.

Circumventing Path MTU Discovery issues with per route MTU settings

Solution

When you encounter sites that suffer from this problem, you can disable path MTU discovery by setting the MTU manually. The following problem: I set the mtu/mru of my leased line running ppp to 296 because it's only 33k6 and I can't affect the queue on the other end. I checked what could be wrong and noticed that I had already had some previous problems reaching some websites that were MTU related, as I had no problem reaching them when the MTU was 1500; the problem only appeared when the MTU was set to 296.

Circumventing Path MTU Discovery issues with MSS Clamping (for ADSL, cable, PPPoE &

The bad thing is that it's an obvious hack - it breaks 'end to end' by modifying packets. Bridges are often installed when faced with a broken network that needs to be repaired without modification. Another good thing is that a bridge can often be replaced by a crossover cable or hub if it breaks.

The bad news is that a bridge can cause a lot of confusion if it is not very well documented.

State of bridging and iptables

That said, we use this trick in a lot of places and it works like a charm. Use this if you have VoIP with small packets and huge http packets that cause stuttering in your voice calls. Since the bridge is a layer-2 device, one layer below IP, routers and servers are unaware of its existence.

It doesn't show up in traceroutes, but somehow packets disappear or change from point A to point B.

Bridging and shaping

You also have to ask yourself if an organization that 'doesn't want to change anything' is doing the right thing.

Pseudo-bridges with Proxy-ARP

ARP & Proxy-ARP

Implementing it

Create routes so your computer knows which hosts reside on the left and which on the right. Enable proxy-ARP on both interfaces: echo 1 > /proc/sys/net/ipv4/conf/ethL/proxy_arp, echo 1 >. Another thing you may notice during the conversion is that you need to clear the ARP cache of the computers on the network - the ARP cache may contain old pre-bridge hardware addresses that are no longer correct.

On a Cisco this is done with the command 'clear arp-cache', under Linux, use 'arp -d ip.address'.

Advanced uses of the packet queueing system

When converting a real bridge, this flag may be disabled because it is not needed when bridging. You can also wait for the cache to expire manually, which can take quite a while. This section is for all you folks who either want to understand why the whole system works or have a configuration so bizarre you need to know everything to make it work.

It is quite possible that this section will be quite complicated and really not intended for normal users.

Other packet shaping systems

Cisco Systems, Designing Large-Scale IP Internet Networks.

Virtual Router Redundancy Protocol Implementation (site).

IOS Committed Access Rate.
